AWS - IAM

IAM Policies Federation STS and MFA

Identity Federation

Identity federation enables users authenticated by an external Identity Provider (IdP) to access AWS resources without managing separate AWS credentials. By establishing a trust relationship between your IdP and AWS Security Token Service (STS), you can issue temporary, scoped credentials that improve security and simplify user management.

How Identity Federation Works

When you federate identities with AWS:

  1. A user signs in to your organizational IdP (e.g., Active Directory Federation Services, Okta).
  2. The IdP returns an authentication response (SAML assertion, OIDC token).
  3. Your application or client calls AWS STS to exchange the response for temporary credentials.
  4. AWS STS issues short-lived security credentials (access key ID, secret access key, session token).
  5. The user or application uses these credentials to call AWS APIs.

Note

Temporary credentials are valid for a limited duration (from 15 minutes up to 12 hours). Always request only the permissions required to follow the principle of least privilege.

AWS Federation Standards

AWS supports multiple federation protocols, enabling integration with on-premises directories, web identity providers, and custom IdPs.

Protocol         Use Case                                        AWS Integration
SAML 2.0         Enterprise federation (LDAP, Active Directory)  AssumeRoleWithSAML API
OpenID Connect   Modern web/mobile apps                          AssumeRoleWithWebIdentity API
OAuth 2.0        Granular authorization for APIs                 Supported via OIDC/OAuth flows

The image illustrates identity federation standards with AWS, featuring SAML 2.0, OpenID Connect, and OAuth 2.0.

Web Identity Federation

Web and mobile applications can let users sign in with social or external IdPs (e.g., Facebook, Google, Amazon, Apple). The flow typically follows these steps:

  1. User selects a provider (e.g., Google) on your app’s login page.
  2. User authenticates and the provider returns an identity token (OIDC ID token).
  3. App calls AssumeRoleWithWebIdentity on AWS STS, passing the token.
  4. STS returns temporary AWS credentials.
  5. App uses these credentials to access AWS services on behalf of the user.

Example CLI call for step 3:

    aws sts assume-role-with-web-identity \
      --role-arn arn:aws:iam::123456789012:role/WebIdentityRole \
      --role-session-name WebSession \
      --web-identity-token file://token.jwt
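The same exchange (steps 2 to 5) in Python, as an added example that is not part of the original page: the client sanity-checks the ID token's audience and expiry, bounds the session duration to the 15-minute to 12-hour window from the note above, and attaches an inline session policy so the temporary credentials are narrower than the role. The role ARN and session name are the page's; the client id, the READ_ONLY policy, the unsigned demo token and fake_sts are constructed so the flow runs offline, where production code would pass boto3.client("sts").assume_role_with_web_identity instead.

```python
import base64, json, time
from datetime import datetime, timedelta, timezone
MIN_SECONDS, MAX_SECONDS = 900, 43200   # STS session bounds from the note above

def decode_jwt_payload(token):
    """Claims of an OIDC ID token, signature NOT verified (STS checks it against
    the IdP's keys); used only for a local sanity check before calling STS."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)      # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def federate(token, role_arn, session_name, expected_aud, assume_role_fn,
             duration=3600, session_policy=None, now=None):
    """Steps 2-4 of the flow: refuse an unusable token, then exchange it for temporary
    credentials. assume_role_fn is boto3.client("sts").assume_role_with_web_identity
    in production; a fake is injected below so the example runs offline (assumption)."""
    claims = decode_jwt_payload(token)
    if claims.get("aud") != expected_aud:
        raise ValueError("token audience does not match this app's client id")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token has expired")
    if not MIN_SECONDS <= duration <= MAX_SECONDS:
        raise ValueError("DurationSeconds must be between 900 and 43200")
    kwargs = dict(RoleArn=role_arn, RoleSessionName=session_name,
                  WebIdentityToken=token, DurationSeconds=duration)
    if session_policy:   # inline session policy narrows the role's permissions further
        kwargs["Policy"] = json.dumps(session_policy)
    creds = assume_role_fn(**kwargs)["Credentials"]
    return {k: creds[k] for k in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")}

# --- constructed fixtures for the offline demo (not real tokens or keys) ---
def make_unsigned_token(claims):
    """JWT-shaped string with an empty signature; a real IdP signs its tokens."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none"})}.{enc(claims)}.'

def fake_sts(**kw):
    """Stand-in for AssumeRoleWithWebIdentity that honours DurationSeconds."""
    exp = datetime.now(timezone.utc) + timedelta(seconds=kw["DurationSeconds"])
    return {"Credentials": {"AccessKeyId": "ASIAEXAMPLEKEY", "SecretAccessKey": "secret",
                            "SessionToken": "session-token", "Expiration": exp}}

READ_ONLY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}

def demo(aud="my-client-id", duration=900):
    token = make_unsigned_token({"iss": "https://accounts.google.com", "aud": aud,
                                 "sub": "subject-placeholder", "exp": 1700003600})
    return federate(token, "arn:aws:iam::123456789012:role/WebIdentityRole", "WebSession",
                    "my-client-id", fake_sts, duration, READ_ONLY, now=1700000000)
```

A token minted for another client id or an out-of-range DurationSeconds is rejected locally before any STS call is made.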

The image illustrates a web identity federation process, showing how a user can authenticate through various identity providers (like Facebook, Google, Amazon, and Apple) to access AWS resources via the AWS Security Token Service.

Warning

Do not embed long-lived AWS keys in your mobile or browser-based applications. Always use temporary credentials obtained through web identity federation.

Benefits of AWS Identity Federation

  • Simplified User Management
    Leverage existing corporate or social identities—no separate AWS passwords.
  • Centralized Access Control
    Define policies in IAM roles and manage permissions in one place.
  • Enhanced Security
    Temporary, automatically rotated credentials reduce the risk of compromised keys.
